nginxinc/nginx-service-mesh

NGINX Ingress doesnt use TrafficSplit (North-South)

xavipanda opened this issue · 1 comments

xavipanda commented

Hi,

I deployed nginx-service-mesh, and works good. Created some TrafficSplit around and the pods within the mesh (west-east) gets load balanced by the trafficsplit.

The problem is that NGINX ingress (non plus) seems to ignore at all the TrafficSplit.
I've tried to make this work with flagger, but also no lucky.. the ingress doesn't sends traffic at all to the canary (even creating a manual TrafficSplit)

I followed all the docs and tried everything around... any idea??
Is North-South only a NGINX Plus feature or what ????

version: 0.9.1

TrafficSplit SMI

apiVersion: split.smi-spec.io/v1alpha3
kind: TrafficSplit
metadata:
  generation: 3
  name: svcinfo
  namespace: canary
spec:
  backends:
  - service: svcinfo
    weight: 90
  - service: svcinfo-canary
    weight: 10
  service: svcinfo

Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app: svcinfo
  name: svcinfo
  namespace: canary
spec:
  rules:
  - host: something.com
    http:
      paths:
      - backend:
          serviceName: svcinfo
          servicePort: 80

Flagger CRD

apiVersion: flagger.app/v1beta1
kind: Canary
metadata:
  name: svcinfo
  namespace: canary
spec:
  provider: nginx
  # deployment reference
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: svcinfo
  ingressRef:
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    name: svcinfo
  autoscalerRef:
    apiVersion: autoscaling/v2beta2
    kind: HorizontalPodAutoscaler
    name: svcinfo
  progressDeadlineSeconds: 60
  service:
    port: 80
    targetPort: 9898
  analysis:
    interval: 10s
    threshold: 10
    maxWeight: 50
    stepWeight: 5
    metrics:
    - name: request-success-rate
      # minimum req success rate (non 5xx responses)
      # percentage (0-100)
      thresholdRange:
        min: 99
      interval: 1m

Traffic West-East: (balance with canary)

  "hostname": "svcinfo-primary-84469b949f-jldnw",
  "hostname": "svcinfo-primary-84469b949f-jwmqs",
  "hostname": "svcinfo-primary-84469b949f-jldnw",
  "hostname": "svcinfo-79996f9b76-zt5v6",
  "hostname": "svcinfo-primary-84469b949f-jwmqs",
  "hostname": "svcinfo-primary-84469b949f-jldnw",

Traffic North-South: (always same)

  "hostname": "svcinfo-primary-84469b949f-jldnw",
  "hostname": "svcinfo-primary-84469b949f-jldnw",
  "hostname": "svcinfo-primary-84469b949f-jwmqs",
  "hostname": "svcinfo-primary-84469b949f-jldnw",

any help ?

malanmurphy commented

@xavipanda Thanks for the feedback on NGINX Service Mesh (NSM); glad it's working well for E/W. :) I believe the non-plus version of NGINX Ingress Controller does support traffic splits, but since NSM only supports direct integration with NGINX Plus Ingress Controller then I don't know how much help we can be with configuring non-plus. Your best bet is to reach out with an issue on that repo for help on traffic splitting: https://github.com/nginxinc/kubernetes-ingress/issues

Assuming it does work, the non-plus Ingress Controller won't be able to participate in mTLS certificate exchange with NSM so you'll need to route traffic from ingress to a service in NSM that supports receiving non-mTLS traffic (setting mTLS to permissive or off).

Hope that helps.